2001 Conferences

7th CACR Information Security Workshop

Gary McGraw, Cigital

Java Security meets Smart Cards

The Java security landscape has seen a number of fundamental changes since its inception. Once based on a strict binary distinction between trusted and untrusted code, the language-based Java security model has become much more flexible and complicated. As Java is adopted throughout the enterprise, showing up in everything from middleware servers to smart cards, the security situation takes on more importance. Java 2 is built around a revised security model that includes code signing, permissions, principals, and policy. Though this makes Java security completely customizable and flexible, it also significantly complicates the code base and the Java applications that use it. Stripped-down versions of Java, including Java Card 2.1, are also gaining prominence. Security is essential for almost every smart card application, but the complex Java 2 security model is much too large to port directly to a smart card. The security model has thus been radically altered to fit on a card, leaving many security challenges as a result.

Speaker's Bio
Gary McGraw, Cigital, Inc.'s Vice President of Corporate Technology, researches software security and sets technical vision in the area of Software Risk Management. A noted authority on mobile code security, Dr. McGraw chairs the National Infosec Research Council's Malicious Code Infosec Science and Technology Study Group. In addition to consulting with major e-commerce vendors, including Visa and the Federal Reserve, he has written over sixty peer-reviewed technical publications. Dr. McGraw has also functioned as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on the Advisory Boards of Counterpane, Finjan, NetCertainty, and Tovaris as well as advising the CS Department at UC Davis. Dr. McGraw co-authored both Java Security (Wiley, 1996) and Securing Java (Wiley, 1999) with Prof. Ed Felten of Princeton, and Software Fault Injection (Wiley 1998) with Jeffrey Voas. He is currently writing a book entitled Building Secure Software (Addison-Wesley, 2001). Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles.